Click here to load reader

Statistical intrusion detection in modern · PDF file Intrusion Detection Expert System (Denning, An intrusion Detection Model, IEEE Trans. on Soft. Eng., 1987) Statistical analysis

  • View
    6

  • Download
    0

Embed Size (px)

Text of Statistical intrusion detection in modern · PDF file Intrusion Detection Expert System...

  • Statistical intrusion detection in modern networks

    Michele Pagano

    Department of Information Engineering University of Pisa

    XIII International Asian School-seminar Problems of complex systems’ optimization

    September 18-22, 2017 Akademgorodok

  • Outline

    1 Theoretical background

    2 How to evaluate an IDS

    3 Anomaly Detection: Overview

    4 Anomaly Detection: Examples

    M. Pagano Statistical intrusion detection in modern networks 2 / 50

  • Theoretical background

    Outline

    1 Theoretical background Overview Taxonomy of the Intrusion Detection Systems Examples of the Intrusion Detection Systems

    2 How to evaluate an IDS

    3 Anomaly Detection: Overview

    4 Anomaly Detection: Examples

    M. Pagano Statistical intrusion detection in modern networks 3 / 50

  • Theoretical background Overview

    Why an intrusion detection system?

    Network security mainly means PREVENTION Physical protection for hardware Passwords, access tokens, etc. for authentication Access control list for authorization Cryptography for secrecy Backups and redundancy for authenticity . . . and so on

    BUT . . . . . . Absolute security cannot be guaranteed!

    M. Pagano Statistical intrusion detection in modern networks 4 / 50

  • Theoretical background Overview

    What is an Intrusion Detection System?

    Prevention is suitable when Internal users are trusted Limited interaction with other networks

    Need for a system which acts when prevention fails

    Intrusion Detection System An intrusion detection system or IDS is a software/hardware tool used to detect unauthorized access to a computer system or a network

    M. Pagano Statistical intrusion detection in modern networks 5 / 50

  • Theoretical background Overview

    A bit of History

    The history of IDSs can be split in three main blocks 1 First Generation IDSs (end of the 1970s)

    The concept of IDS first appears in the 1970s and early 1980s (Anderson, Computer Security Monitoring and Surveillance, Tech Rep 1980) Focus on audit data of a single machine Post processing of data

    2 Second Generation IDSs (1987) Intrusion Detection Expert System (Denning, An intrusion Detection Model, IEEE Trans. on Soft. Eng., 1987) Statistical analysis of data

    3 Third Generation IDSs (to come) Focus on the network Real-time detection Real-time reaction Intrusion Prevention System

    M. Pagano Statistical intrusion detection in modern networks 6 / 50

  • Theoretical background Overview

    A taxonomy of the intruders

    Intruders can be classified as Masquerader: an individual who is not authorized to use the computer and who penetrates a system’s access control to exploit a legitimate user’s account Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access, but misuses his/her privileges Clandestine User: an individual who seizes supervisory control of the system and uses the control to evade auditing and access controls or to suppress audit collection

    Anderson, Computer Security Monitoring and Surveillance, Tech Rep 1980

    M. Pagano Statistical intrusion detection in modern networks 7 / 50

  • Theoretical background Overview

    A taxonomy of the intrusions

    Eavesdropping and Packet Sniffing: passive interception of network traffic

    Snooping and Downloading

    Tampering and Data Diddling: unauthorized changes to data or records

    Spoofing: impersonating other users

    Jamming or Flooding: overwhelming a system’s resources

    Injecting Malicious Code

    Probing

    Exploiting Design or Implementation Flaws: as buffer overflow

    Cracking Passwords and Keys

    Denning, Cyberspace Attacks and Countermeasures, New York,1997

    M. Pagano Statistical intrusion detection in modern networks 8 / 50

  • Theoretical background IDS Taxonomy

    Host based vs. Network based

    Host based IDS Aimed at detecting attacks related to a specific host Architecture/Operating system dependent Processing of high level information (e.g. system calls) Effective in detecting insider misuse

    Network based IDS Aimed at detecting attacks towards hosts connected to a LAN Architecture/Operating system independent Processing data at lower level of granularity (packets) Effective in detecting attacks from the “outside”

    M. Pagano Statistical intrusion detection in modern networks 9 / 50

  • Theoretical background IDS Taxonomy

    Misuse based IDS vs. Anomaly based IDS

    Misuse based (Signature based, Rule based) IDS Identifies intrusion by looking for patterns of traffic or of application data presumed to be malicious Pattern of misuses are stored in a database Effective in detecting only “known” attacks Encrypted traffic ???

    Anomaly based IDS Identifies intrusions by classifying activity as either anomalous or normal Need a training phase to recognize normal activity Able to detect “new” attacks Generates more false alarms than a misuse based IDS

    M. Pagano Statistical intrusion detection in modern networks 10 / 50

  • Theoretical background IDS Taxonomy

    Stateless IDS VS Stateful IDS

    Stateless IDS Treats each event independently of others Simple system design High processing speed

    Stateful IDS Maintains information about past events The effect of a certain event depends on its position in the events stream More complex system design More effective in detecting distributed attacks

    M. Pagano Statistical intrusion detection in modern networks 11 / 50

  • Theoretical background IDS Taxonomy

    Centralized IDS VS Distributed IDS

    Centralized IDS All the operations are performed by the same machine More simple to realize Only one point of failure

    Distributed IDS Composed of several components

    Sensors which generate security events Console to monitor events and alerts and control the sensors Central Engine that records events and generate alarms

    May need to deal with different data formats Need of a secure communication protocol (IPFIX)

    M. Pagano Statistical intrusion detection in modern networks 12 / 50

  • Theoretical background IDS Examples

    SNORT

    Snort The most famous IDS Open source software tool Network based Signature based Centralized architecture

    Spade, the anomaly detection plug-in for Snort... is not supported any longer

    The rules database, as well as the system code, is available for download at the web site http://www.snort.org

    M. Pagano Statistical intrusion detection in modern networks 13 / 50

  • Theoretical background IDS Examples

    Attacks State of the Art

    Howard Lipson, CMU Software Engineering Institute CERT R©

    (Computer Emergency Response Team – by DARPA in 1988)

    M. Pagano Statistical intrusion detection in modern networks 14 / 50

  • Theoretical background IDS Examples

    IDS State of the Art

    Focus is on Network based IDSs (The only ones effective in detecting Distributed Denial of Service - DDoS) State of the art IDSs are Misuse Based

    Most attacks are realized by means of software tools available on the Internet Most attacks are “well-known” attacks

    BUT . . . . . . The most dangerous attacks are those written

    ad hoc by the intruder!

    M. Pagano Statistical intrusion detection in modern networks 15 / 50

  • Theoretical background IDS Examples

    The best choice?

    Combined use of both HIDS (for insider attacks) & NIDS (for outsider attacks) Misuse IDS (low False Alarm rate) & Anomaly IDS (for “new” attacks) Stateless IDS (fast data process) & Stateful IDS (for “complex” attacks)

    Distributed IDS Not a single point of failure More effective in monitoring large networks

    M. Pagano Statistical intrusion detection in modern networks 16 / 50

  • Theoretical background IDS Examples

    The best choice?

    M. Pagano Statistical intrusion detection in modern networks 17 / 50

  • Evaluation

    Outline

    1 Theoretical background

    2 How to evaluate an IDS Receiver Operating Characteristics (ROC) Curve Evaluation Datasets

    3 Anomaly Detection: Overview

    4 Anomaly Detection: Examples

    M. Pagano Statistical intrusion detection in modern networks 18 / 50

  • Evaluation ROC

    Basic definitions

    A = alarm −A = not an alarm I = attack (intrusion) −I = not an attack False Positive (FP): the error of rejecting a null hypothesis when it is actually true. In our case it implies the creation of an alarm in correspondence of normal activities

    P(A| − I) = False positive (alarm) probability

    False Negative (FN): the error of failing to reject a null hypothesis when it is in fact not true. In our case it corresponds to a missed detection

    P(−A|I) = False negative probability

    M. Pagano Statistical intrusion detection in modern networks 19 / 50

  • Evaluation ROC

    ROC (Receiver Operating Characteristics) Curve

    0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0

    0.1

    0.2

    0.3

    0.4

    0.5

    0.6

    0.7

    0.8

    0.9

    1

    False Alarm Rate

    D e

    te c ti o

    n R

    a te

    Non Stati

Search related